CVE-2024-25635

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Feb 19, 2024

Updated: Dec 18, 2024

CWE ID 612

Summary

CVE-2024-25635 is a vulnerability affecting the alf.io ticket reservation system prior to version 2.0-Mr-2402. This issue allows organization owners to view the API keys and user details of other organization owners using the `http://192.168.26.128:8080/admin/api/users/<user_id>` endpoint. The user ID provided in the endpoint may also reveal the API key embedded in that user's username. This vulnerability poses a significant risk as it exposes sensitive information and can lead to unauthorized access. The issue has been resolved in version 2.0-M4-2402.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/uc8p2O
https://www.cve.org/CVERecord?id=CVE-2024-25635
https://nvd.nist.gov/vuln/detail/CVE-2024-25635

Back to Vulnerability Database

CVE-2024-25635

CVSS 3.1 Score 8.8 of 10 (high)

Details

Summary

Affected Vendors

Advisories, Assessments, and Mitigations